protocol overhead substantially as compared to the overhead of PEM when used in conjunction with an asymmetric key-management system.

We have also described how this scheme may be used in conjunction with datagram multicast protocols, allowing a single encrypted datagram to be multicast to all the receiving nodes.
What is claimed:

1. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks including, respectively, first and second bridge computers, each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor, each of said first and second bridge computers further including memory for storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried [carded] out by means of the instructions stored on said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;

(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:

(a) key management information identifying the predetermined encryption method, and

(b) a new address header representing the source and destination for the data packet, thereby generating a modified data packet;

(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network;

(6) intercepting the data packet at the second bridge computer;

(7) in the second bridge computer, reading the encapsulation header, and determining therefrom whether the data packet was encrypted, and if not, proceeding to step 10, and if so, proceeding to step 8;

(8) in the second bridge computer, determining which encryption mechanism was used to encrypt the first data packet;

(9) decrypting the first data packet by the second bridge computer;

(10) transmitting the first data packet from the second bridge computer to the second host computer, and

(11) receiving the unencrypted data packet at the second host computer.

2. The method of claim 1, wherein the new address header for the modified data packet includes the address of the second bridge computer.

3. The method of claim 2, wherein the new address header for the modified data packet includes an identifier of the second bridge computer.

4. The method of claim 1, wherein the new address header of the modified data packet includes the address of the second host computer.

5. The method of claim 4, wherein the new address header for the modified data packet includes an identifier of the second bridge computer.



6. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;

a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;

said first host computer including a third processor and a third memory including instructions for transmitting a first said data packet from said first host to said second host;

a first table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;

instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said first table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet, and transmitting said modified first data packet on to the second host computer;

a second table stored in said second memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;

instructions stored in said second memory for intercepting said first data packet upon arrival at said second network, determining whether said correlation is present in said second table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
7. The method of claim 6, wherein said new address header includes the internetwork broadcast addresses of the first and second computer networks.

8. The method of claim 7, wherein said new address header includes an identifier of the second bridge computer.

9. The method of claim 6, wherein said new address header includes the address of the second host computer.

10. The method of claim 9, wherein said new address header includes an identifier of the second bridge computer.



11. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, [the first and second computer networks,] each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor, each said memory storing at least one predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them, the method being carried [carded] out by means of the instructions stored in said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of a source of the packet and an internetwork address of a destination of the packet;

(2) in the first host computer, determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first host computer;

(4) in the first host computer, generating and appending to the first data packet an encapsulation header, including:

(a) key management information identifying the predetermined encryption method, and

(b) a new address header identifying the source and destination for the first data packet;

(5) transmitting the first data packet from the first host computer via the internetwork to the second computer network;

(6) in the second host computer, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if not, ending the method, and if so, proceeding to step 7;

(7) in the second host computer, determining which encryption mechanism was used to encrypt the first data packet; and

(8) decrypting the first data packet by the second host computer.
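The encapsulation procedure recited in claims 1 and 11, modelled as an added Python example that is not part of the patent text: a bridge consults its table of host pairs requiring security, encrypts the whole original packet (inner addresses included), prepends an encapsulation header carrying the bridge addresses and a key-management identifier, and the peer bridge reads that header, selects the mechanism and reverses the steps. The mechanism identifier, the HMAC-SHA256 counter-mode keystream used as the stand-in cipher, the integrity tag and the sample addresses are assumptions of this example, not details given by the claims.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Key-management identifier carried in the encapsulation header (claim 1, step 4(a)).
# The label and the HMAC-SHA256 counter-mode keystream it denotes are stand-ins
# chosen for this example; the claims name no particular mechanism.
MECHANISM_ID = "hmac-sha256-ctr"

@dataclass
class Packet:            # original datagram of step 1: inner addresses plus payload
    src: str
    dst: str
    body: bytes

@dataclass
class Encapsulated:      # modified packet of step 4
    outer_src: str       # new address header: first bridge address (claims 2 and 3)
    outer_dst: str       # second bridge address
    mechanism: str       # lets the second bridge pick the mechanism (step 8)
    nonce: bytes
    body: bytes          # encrypted original packet, inner addresses included
    tag: bytes           # integrity tag; an addition beyond what the claims recite

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def _serialize(p: Packet) -> bytes:
    return f"{p.src}|{p.dst}|".encode() + p.body

def _parse(raw: bytes) -> Packet:
    src, dst, body = raw.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), body)

def _header(outer_src: str, outer_dst: str, mechanism: str, nonce: bytes) -> bytes:
    return f"{outer_src}|{outer_dst}|{mechanism}|".encode() + nonce

class Bridge:
    def __init__(self, address: str, secure_pairs: set, keys: dict):
        self.address = address
        self.secure_pairs = secure_pairs  # (host, host) pairs requiring security
        self.keys = keys                  # mechanism id -> shared key

    def outbound(self, pkt: Packet, peer_bridge: str):
        """Steps 2 to 5 at the first bridge."""
        if (pkt.src, pkt.dst) not in self.secure_pairs:
            return pkt                                   # step 5: forwarded in the clear
        key, nonce = self.keys[MECHANISM_ID], os.urandom(8)
        plain = _serialize(pkt)
        body = _xor(plain, _keystream(key, nonce, len(plain)))          # step 3
        hdr = _header(self.address, peer_bridge, MECHANISM_ID, nonce)  # step 4
        tag = hmac.new(key, hdr + body, hashlib.sha256).digest()
        return Encapsulated(self.address, peer_bridge, MECHANISM_ID, nonce, body, tag)

    def inbound(self, frame):
        """Steps 7 to 10 at the second bridge."""
        if isinstance(frame, Packet):
            return frame                                 # step 10: was never encrypted
        key = self.keys.get(frame.mechanism)             # step 8
        if key is None:
            raise ValueError(f"unknown mechanism {frame.mechanism}")
        hdr = _header(frame.outer_src, frame.outer_dst, frame.mechanism, frame.nonce)
        expected = hmac.new(key, hdr + frame.body, hashlib.sha256).digest()
        if not hmac.compare_digest(frame.tag, expected):
            raise ValueError("integrity check failed")
        plain = _xor(frame.body, _keystream(key, frame.nonce, len(frame.body)))  # step 9
        return _parse(plain)
```

A pair absent from the table passes both bridges untouched, which is the step 5 / step 10 path of claim 1; a packet whose tag fails is refused before decryption.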

12. The method of claim 11, wherein the new address header for the modified data packet includes internetwork broadcast addresses of the first and second

13. The method of claim 11, wherein the source/destination table includes data identifying internetwork addresses of the first and second host computers.



14. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network and having a first processor and a first memory, via an internetwork to a second host computer on a second computer network and having a second processor and a second memory, the system including:

security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;

a predetermined encryption/decryption mechanism stored in said first and second memories;

a decryption key stored in said second memory;

instructions stored in said first memory for determining whether to encrypt data packets, by determining whether said at least one predetermined criterion is met by said data packet;

instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first said data packet, when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said encapsulation header including at least said new address header;

instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said data packet by use of said decryption key.



15. The system of claim 14, wherein:

said security data comprises correlation data stored in each of said first and second memories identifying at least one of said first host computer and said first network correlated with at least one of said second host computer and said second network;

the system further including instructions stored in said first memory for determining whether to encrypt data packets by inspecting for a match between source and destination addresses of said data packets with said correlation data.

16. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:

a bridge computer coupled to the first computer network for intercepting at least a first said data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;

information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;

instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet, and transmitting said modified first data packet on to the second host computer.

17. A method for transmitting packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first computer network including a first bridge computer, each of said first and second host computers and said bridge computer further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out according to the instructions stored in said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;

(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:

(a) key management information identifying the predetermined encryption method, and

(b) a new address header representing the source and destination for the data packet, thereby generating a modified data packet; and

(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network.




18. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:

a bridge coupled to the second computer for intercepting a data packet from the first computer, the bridge including a processor and a memory that stores instructions for decrypting data packets;

information stored in the memory of the bridge correlating the first and second computers; and

instructions stored in the memory of the bridge for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.

19. The system of claim 18, where the data packet includes an address header and a body, the body including the new data packet in encrypted form.

20. The method of claim 18, wherein the data packet includes a header storing key management information identifying an encryption method used to encrypt the new data packet.

21. The method of claim 18, wherein the new address header includes information indicating the first computer is a source of the new data packet and the second computer is a destination of the new data packet.

22. A method for receiving data packets transmitted from a first computer to a second computer through a bridge, the bridge including a processor and a memory, the memory storing instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:

intercepting a data packet from the first computer to the second computer, a portion of the data packet including information representing an internetwork address of the first computer and an internetwork address of the second computer;

determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header; and

transmitting the new data packet on to the second computer.

23. The system of claim 22, where the data packet includes an address header and a body, the body including the new data packet in encrypted form.

24. The method of claim 22, wherein the data packet includes a header storing key management information identifying an encryption method used to encrypt the new data packet.

25. The method of claim 22, wherein the new address header includes information indicating the first computer is a source of the new data packet and the second computer is a destination of the new data packet.

26. A method of encrypting data packets, comprising:

receiving a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

determining whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers; and

if the data packet should be encrypted, encrypting the data packet to produce an encrypted data packet.

27. The method of claim 26, further comprising transmitting the encrypted data packet to the destination.

28. The method of claim 26, wherein the determining whether the data packet should be encrypted comprises accessing stored information that indicates by presence or absence of the source identifier that data packets from the source should be encrypted.
29. The method of claim 26, wherein the determining whether the data packet should be encrypted comprises accessing stored information that indicates by presence or absence of a correlation between the source and destination identifiers that data packets from the source for the destination should be encrypted.

30. The method of claim 26, wherein the encrypted data packet includes an encrypted data packet header section and an encrypted data packet data section, the encrypted data packet data section storing the encrypted data packet.

31. The method of claim 30, wherein the encrypted data packet header section stores the source and destination identifiers.

32. The method of claim 30, wherein the source is a host computer in a network and the encrypted data packet header section stores an identifier of the network.

33. The method of claim 30, wherein the destination is a host computer in a network and the encrypted data packet header section stores an identifier of the network.

34. The method of claim 26, wherein the source is a host computer or a network.

35. The method of claim 26, wherein the destination is a host computer or a network.
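An added example, not from the patent, of the decision rule claims 26 to 35 recite and claims 40 to 49 mirror on the receiving side: stored security data indicates, by the presence of a source identifier alone (claim 28) or of a correlation between source and destination identifiers (claim 29), which packets are to be encrypted, and either side may be a host or a whole network (claims 34 and 35). The sample entries, the CIDR notation for networks and the `src|dst|payload` header layout are constructed for this example.

```python
import ipaddress

# Constructed security data. Each entry is either a source alone (second element
# None) or a (source, destination) correlation; each side is a host address or a
# network in CIDR form. Nothing here comes from the patent text.
SECURITY_DATA = [
    ("10.1.0.5", None),               # every packet from this host is encrypted
    ("10.3.0.0/24", "10.4.0.0/24"),   # network-to-network correlation
    ("10.5.0.0/16", "10.6.0.9"),      # network source, host destination
]

def _covers(entry: str, addr: str) -> bool:
    """True if the stored identifier (host or network) contains the address."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)

def should_encrypt(src: str, dst: str, security_data=SECURITY_DATA) -> bool:
    """Decision of claim 26 (and, unchanged, of claim 40 at the receiver):
    consult the stored information by reference to the source identifier and,
    where the entry is a correlation, the destination identifier as well."""
    for entry_src, entry_dst in security_data:
        if not _covers(entry_src, src):
            continue                       # source identifier absent from this entry
        if entry_dst is None or _covers(entry_dst, dst):
            return True                    # claim 28 (source only) or claim 29 (pair)
    return False

def split_header(packet: bytes):
    """Read the source and destination identifiers from the constructed
    'src|dst|payload' header section of a packet."""
    src, dst, payload = packet.split(b"|", 2)
    return src.decode(), dst.decode(), payload

def classify(packet: bytes, security_data=SECURITY_DATA) -> bool:
    """Apply the decision to a whole packet: header section first, then the rule."""
    src, dst, _ = split_header(packet)
    return should_encrypt(src, dst, security_data)
```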
36. A computer program product for encrypting data packets, comprising:

computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

computer code that determines whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;

computer code that encrypts the data packet to produce an encrypted data packet if the data packet should be encrypted; and

a computer readable medium that stores the computer codes.

37. The computer program product of claim 36, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

38. A computer system for encrypting data packets, comprising:

a processor;

a computer readable medium coupled to the processor storing a computer program comprising:

computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

computer code that determines whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers; and

computer code that encrypts the data packet to produce an encrypted data packet if the data packet should be encrypted.

39. The computer program product of claim 38, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.



40. A method of decrypting data packets, comprising:

receiving a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

determining whether the data packet is encrypted upon reference to at least one of the source and destination identifiers; and

if the data packet is encrypted, decrypting the data packet to produce a decrypted data packet.

41. The method of claim 40, further comprising transmitting the decrypted data packet to the destination.

42. The method of claim 40, wherein the determining whether the data packet is encrypted comprises accessing stored information that indicates by presence or absence of the source identifier that data packets from the source are encrypted.

43. The method of claim 40, wherein the determining whether the data packet is encrypted comprises accessing stored information that indicates by presence or absence of a correlation between the source and destination identifiers that data packets from the source for the destination are encrypted.

44. The method of claim 40, wherein the data section of the data packet includes an encrypted header section and an encrypted data section for the decrypted data packet.

45. The method of claim 44, wherein the encrypted header section stores the source and destination identifiers.

46. The method of claim 44, wherein the source is a network and the encrypted header section stores an identifier of a host computer in the network.

47. The method of claim 44, wherein the destination is a network and the encrypted header section stores an identifier of a host computer in the network.

48. The method of claim 40, wherein the source is a host computer or a network.

49. The method of claim 40, wherein the destination is a host computer or a network.
50. A computer program product for decrypting data packets, comprising:

computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

computer code that determines whether the data packet is encrypted upon reference to at least one of the source and destination identifiers;

computer code that decrypts the data packet to produce a decrypted data packet if the data packet is encrypted; and

a computer readable medium that stores the computer codes.

51. The computer program product of claim 50, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

52. A computer system for decrypting data packets, comprising:

a processor;

a computer readable medium coupled to the processor storing a computer program, comprising:

computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;

computer code that determines whether the data packet is encrypted upon reference to at least one of the source and destination identifiers; and

computer code that decrypts the data packet to produce a decrypted data packet if the data packet is encrypted.

53. The computer program product of claim 52, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk



